Security Advisory - CVE-2021-44460
Affects: Odoo 13.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-44460
Component: Core
Credits: Xavier Morel
Improper access control in Odoo Community 13.0 and earlier and Odoo
Enterprise 13.0 and earlier allows users with deactivated accounts to
access the system with the deactivated account and any permission it
still holds, via crafted RPC requests.
I. Background
Users can be deactivated as a way to keep the past information about them while
no longer allowing them to log in to an Odoo database. This is the typical
scenario when an employee leaves the company.
II. Problem Description
Deactivated users could still interact with the database through the API even
though they were no longer able to log in through the login form.
III. Impact
Attack Vector: Network exploitable
Authentication: Deactivated user account required
CVSS3 Score: High :: 7.4
CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
A former employee or portal user might abuse their past privileges to gain
access to recent information.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
Changing the password of deactivated users ensures a former user is no longer
able to craft RPC requests. Updating to the latest revision or applying the
corresponding patch is strongly recommended.
Odoo Cloud servers were patched as soon as the correction was available.
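The workaround above can be applied in bulk through Odoo's external XML-RPC API. The script below is an added example, not part of the advisory or of Odoo itself: it authenticates as an administrator, lists every archived user (employees and portal users alike) and sets a fresh random password on each one. The URL, database name and administrator credentials are placeholders.

```python
"""Added example (not part of the Odoo advisory): apply the CVE-2021-44460
workaround by rotating the passwords of every deactivated user through
Odoo's external XML-RPC API. Assumes an administrator login; the URL,
database and credentials below are placeholders."""
import secrets
import xmlrpc.client

ODOO_URL = "https://odoo.example.invalid"  # placeholder
ODOO_DB = "mydb"                            # placeholder
ADMIN_LOGIN = "admin"                       # placeholder
ADMIN_PASSWORD = "changeme"                 # placeholder


def deactivated_user_ids(models, db, uid, password):
    """Return the ids of all users with active=False (employees and
    portal users alike). Odoo's ORM hides archived records unless the
    domain names the ``active`` field explicitly, so spell it out."""
    domain = [["active", "=", False]]
    return models.execute_kw(db, uid, password, "res.users", "search", [domain])


def rotate_passwords(models, db, uid, password, user_ids, new_secret=None):
    """Set a fresh random password on each deactivated user, one write per
    account so no two accounts share a secret. Returns the number updated."""
    count = 0
    for user_id in user_ids:
        fresh = new_secret() if new_secret else secrets.token_urlsafe(32)
        models.execute_kw(db, uid, password, "res.users", "write",
                          [[user_id], {"password": fresh}])
        count += 1
    return count


def main():
    common = xmlrpc.client.ServerProxy(f"{ODOO_URL}/xmlrpc/2/common")
    uid = common.authenticate(ODOO_DB, ADMIN_LOGIN, ADMIN_PASSWORD, {})
    if not uid:
        raise SystemExit("administrator authentication failed")
    models = xmlrpc.client.ServerProxy(f"{ODOO_URL}/xmlrpc/2/object")
    ids = deactivated_user_ids(models, ODOO_DB, uid, ADMIN_PASSWORD)
    n = rotate_passwords(models, ODOO_DB, uid, ADMIN_PASSWORD, ids)
    print(f"rotated the password of {n} deactivated account(s)")


if __name__ == "__main__":
    main()
```

Run it once against each database after deactivating an account, or on a schedule until the patch is applied.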
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html
VI. Correction details
The following list contains the patches that fix the vulnerability for
each version: